1 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3 * Copyright 2004-2005 The OpenLDAP Foundation.
4 * Portions Copyright 2004 Pierangelo Masarati.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * This work was initially developed by Pierangelo Masarati for inclusion
17 * in OpenLDAP Software.
24 #include <ac/stdlib.h>
27 #include <ac/string.h>
28 #include <ac/socket.h>
29 #include <ac/unistd.h>
35 #include "slapcommon.h"
41 AttributeDescription *desc,
47 char accessmaskbuf[ACCESSMASK_MAXLEN];
49 rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask );
51 fprintf( stderr, "%s%s%s: %s\n",
52 desc->ad_cname.bv_val,
53 ( val && !BER_BVISNULL( val ) ) ? "=" : "",
54 ( val && !BER_BVISNULL( val ) ) ?
55 ( desc == slap_schema.si_ad_userPassword ? "****" : val->bv_val ) : "",
56 accessmask2str( mask, accessmaskbuf, 1 ) );
62 slapacl( int argc, char **argv )
64 int rc = EXIT_SUCCESS;
65 const char *progname = "slapacl";
66 Connection conn = { 0 };
68 OperationBuffer opbuf;
70 Entry e = { 0 }, *ep = &e;
75 slap_tool_init( progname, SLAPACL, argc, argv );
80 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
81 if ( bd != be && backend_startup( bd ) ) {
82 fprintf( stderr, "backend_startup(#%d%s%s) failed\n",
84 bd->be_suffix ? ": " : "",
85 bd->be_suffix ? bd->be_suffix[0].bv_val : "" );
94 argv = &argv[ optind ];
97 op = (Operation *) &opbuf;
98 connection_fake_init( &conn, op, &conn );
100 conn.c_listener = &listener;
101 conn.c_listener_url = listener_url;
102 conn.c_peer_domain = peer_domain;
103 conn.c_peer_name = peer_name;
104 conn.c_sock_name = sock_name;
106 op->o_transport_ssf = transport_ssf;
107 op->o_tls_ssf = tls_ssf;
108 op->o_sasl_ssf = sasl_ssf;
110 if ( !BER_BVISNULL( &authcID ) ) {
111 if ( !BER_BVISNULL( &authcDN ) ) {
112 fprintf( stderr, "both authcID=\"%s\" "
113 "and authcDN=\"%s\" provided\n",
114 authcID.bv_val, authcDN.bv_val );
119 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
120 &authcDN, SLAP_GETDN_AUTHCID );
121 if ( rc != LDAP_SUCCESS ) {
122 fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
124 ldap_err2string( rc ) );
129 } else if ( !BER_BVISNULL( &authcDN ) ) {
132 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
133 if ( rc != LDAP_SUCCESS ) {
134 fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
136 ldap_err2string( rc ) );
140 ch_free( authcDN.bv_val );
144 if ( !BER_BVISNULL( &authzID ) ) {
145 if ( !BER_BVISNULL( &authzDN ) ) {
146 fprintf( stderr, "both authzID=\"%s\" "
147 "and authzDN=\"%s\" provided\n",
148 authzID.bv_val, authzDN.bv_val );
153 rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
154 &authzDN, SLAP_GETDN_AUTHZID );
155 if ( rc != LDAP_SUCCESS ) {
156 fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
158 ldap_err2string( rc ) );
163 } else if ( !BER_BVISNULL( &authzDN ) ) {
166 rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
167 if ( rc != LDAP_SUCCESS ) {
168 fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
170 ldap_err2string( rc ) );
174 ch_free( authzDN.bv_val );
179 if ( !BER_BVISNULL( &authcDN ) ) {
180 fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
183 if ( !BER_BVISNULL( &authzDN ) ) {
184 fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
187 if ( !BER_BVISNULL( &authzDN ) ) {
191 if ( !BER_BVISNULL( &authcDN ) ) {
192 op->o_conn->c_dn = authcDN;
193 op->o_conn->c_ndn = authcDN;
196 op->o_conn->c_dn = authzDN;
197 op->o_conn->c_ndn = authzDN;
200 } else if ( !BER_BVISNULL( &authcDN ) ) {
201 op->o_conn->c_dn = authcDN;
202 op->o_conn->c_ndn = authcDN;
207 assert( !BER_BVISNULL( &baseDN ) );
208 rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
209 if ( rc != LDAP_SUCCESS ) {
210 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
212 ldap_err2string( rc ) );
218 if ( op->o_bd == NULL ) {
219 /* NOTE: if no database could be found (e.g. because
220 * accessing the rootDSE or so), use the frontendDB
221 * rules; might need work */
222 op->o_bd = frontendDB;
229 fprintf( stderr, "%s: no target database "
230 "has been found for baseDN=\"%s\"; "
231 "you may try with \"-u\" (dry run).\n",
232 baseDN.bv_val, progname );
237 if ( !be->be_entry_open ||
238 !be->be_entry_close ||
240 !be->be_id2entry_get )
242 fprintf( stderr, "%s: target database "
243 "doesn't support necessary operations; "
244 "you may try with \"-u\" (dry run).\n",
250 if ( be->be_entry_open( be, 0 ) != 0 ) {
251 fprintf( stderr, "%s: could not open database.\n",
259 id = be->be_dn2id_get( be, &e.e_nname );
261 fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
262 progname, e.e_nname.bv_val );
266 if ( be->be_id2entry_get( be, id, &ep ) != 0 ) {
267 fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
268 progname, e.e_nname.bv_val, id );
277 (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL );
278 (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL );
280 for ( a = ep->e_attrs; a; a = a->a_next ) {
283 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
284 (void)print_access( op, ep, a->a_desc,
292 for ( ; argc--; argv++ ) {
294 AttributeDescription *desc = NULL;
295 struct berval val = BER_BVNULL,
298 char accessmaskbuf[ACCESSMASK_MAXLEN];
300 slap_access_t access = ACL_AUTH;
302 if ( attr == NULL ) {
306 val.bv_val = strchr( attr, ':' );
307 if ( val.bv_val != NULL ) {
308 val.bv_val[0] = '\0';
310 val.bv_len = strlen( val.bv_val );
314 accessstr = strchr( attr, '/' );
315 if ( accessstr != NULL ) {
318 access = str2access( accessstr );
319 if ( access == ACL_INVALID_ACCESS ) {
320 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
322 if ( continuemode ) {
329 rc = slap_str2ad( attr, &desc, &text );
330 if ( rc != LDAP_SUCCESS ) {
331 fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
332 attr, rc, ldap_err2string( rc ) );
333 if ( continuemode ) {
339 rc = access_allowed_mask( op, ep, desc, valp, access,
343 fprintf( stderr, "%s access to %s%s%s: %s\n",
345 desc->ad_cname.bv_val,
346 val.bv_val ? "=" : "",
347 val.bv_val ? val.bv_val : "",
348 rc ? "ALLOWED" : "DENIED" );
351 fprintf( stderr, "%s%s%s: %s\n",
352 desc->ad_cname.bv_val,
353 val.bv_val ? "=" : "",
354 val.bv_val ? val.bv_val : "",
355 accessmask2str( mask, accessmaskbuf, 1 ) );
362 if ( !BER_BVISNULL( &e.e_name ) ) {
363 ber_memfree( e.e_name.bv_val );
365 if ( !BER_BVISNULL( &e.e_nname ) ) {
366 ber_memfree( e.e_nname.bv_val );
368 if ( !dryrun && be ) {
370 be_entry_release_r( op, ep );
373 be->be_entry_close( be );
376 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
378 backend_shutdown( bd );